What is LEVITATION?

A behaviour-based target discovery project 

Multi-disciplinary team 

Prototyping and delivering advances in: 

• Behavioural tradecraft 

• Hypothesis tradecraft 

• Tradecraft automation 



TOP SECRET//SI//REL CAN, AUS, GBR, NZL, USA 







Current 



Active 

FFU 




Sequential numbers 
Obvious selector names 
Web search terms 



Hypotheses 

In Development 

GPS waypoints 
Devices close to places 
Telephony gaps 




Targets of foreign SIGINT agencies

Missed calls 
FFU Hypothesis

Extremists use Free File Upload (FFU) sites differently than the general public.

Al-Qaida uses FFU sites to distribute Jihadist propaganda

Extremists use FFU sites to distribute training materials







What do we need? 



A list of suspect documents 
A list of FFU URLs referring to those documents 
A list of IPs downloading those URLs 



New documents are found by CWOC (CSEC Web Operations Centre) retrieval from URLs, so that's the easy part.
New URLs

CSEC's web forums team
2nd Party reports & alerts
Machine Learning

Learning the textual context for the URLs in web forums

HTTP Referrers

Follow URL referrers back to the originating site

Previous Correlations analysis

Using tech techniques to figure out what else that user was up to at the same time

e.g. Google analytics cookies
[Workflow diagram; legible step labels: Get STALKER Hostnames, IP Geo and Network Info, Mail New URLs, Output new URLs]
FFU Events Collection

ATOMIC BANJO (Special Source) is collecting HTTP metadata for 102 known FFU sites.





We see about 10-15 million FFU events per day 
All the FFU Events are available thru OLYMPIA 



Looking for a few good documents 



We only care about the 2,200 URLs that point to documents of interest.

e.g. How to make a gas bomb

www.sendspace.com/file^ 

Every day we sort through the 10-15M events for the interesting ones.

We're finding about 350 interesting download events per month.
Documents vary



Chloroform in a Lowes bucket Bajadin Explosives Manual 




And lots of pictures of cars on fire 






Filtering out Glee Episodes 
[Workflow diagram; legible step labels: Sort by time, Master List Extremist Documents URLs, Convert String IPs, Master FFU Hits, Add constants, Stream lookup, Create HTTP_LOCATION SQL, Dummy 2, Query HTTP_LOCATION, Processed FFU records, New FFU records]
Resulting events



FFU Hits 




[Screenshot: Windows Explorer window open on the "FFU Hits" folder (shares > Share_1 > Levitation > FFU > FFU Hits), listing file folders named "FFU Hit Selector ..." dated 01-20-2012 through 03-20-2012, plus an item "FFU From Mathieu". Legible name fragments include Iraq, Saudi Arabia, Occupied Palestinian Territory and Anonymizer.]
Start analysis with event info

FFU hit from selector [redacted] on 7/03/2012 7:46:51 geolocated to Kenya, accessing The Explosives Course through FFU site sendspace.com with HTTP user agent Mozilla/5.0 (Ubuntu; X11; Linux x86_64; rv:9.0.1) Gecko/20100101 Firefox/
Correlating other selectors with the IP

FFU hit from selector [redacted] on 7/03/2012 7:46:51 geolocated to Kenya, accessing The Explosives Course through FFU site sendspace.com with HTTP user agent Mozilla/5.0 (Ubuntu; X11; Linux x86_64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1

Can we correlate any other selectors with this IP address?

Mutant Broth query on IP [redacted] for 5 hours on either side of 7/03/2012 7:46:51

682 events including 77 with an exact match of the user agent above yielding a Facebook ID [redacted] Google Prefid Cookie [redacted]

March 7, 2012. Mutant Broth query..xlsx
Correlating Facebook cookie

Open Source research indicates that the user of Facebook ID [redacted] is based in Dubai, United Arab Emirates

Marina Profile Query on Facebook User Cookie [redacted] observed in Mutant Broth Query above

- Lots of events including registration email address [redacted]@gmail.com and Facebook name [redacted]

Can we correlate any other selectors with this Facebook ID Cookie?

FFU Hit Selector [redacted] March 7, 2012. Marina Profile Query on Facebook Id

Mutant Broth Sub-Query on Facebook User Cookie [redacted] observed in Mutant Broth Query above

946 events with 893 matching exactly the user agent above

FFU Hit Selector [redacted] March 7, 2012. Mutant Broth Sub-Query on Facebook ID [redacted].xlsx

FFU hit from selector [redacted] on 7/03/2012 7:46:51 geolocated to Kenya, accessing The Explosives Course through FFU site sendspace.com with HTTP user agent Mozilla/5.0 (Ubuntu; X11; Linux x86_64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
IP Correlation

FFU Hits Analysis.kjb    MUTANTBROTH TDIs.ktr

[Transformation diagram; legible step labels: Get rows from result, Multi-Threads, Cut justification to 150 chars, MUTANTBROTH, Filter Empty Result, MBRawResults, Sort by Sequence, Group TDIs/UserAgents, Error Handling, Ignore Empty Result]

Groups
Mozilla/4.0 (compatible; MSIE 6.0; Wir
Mozilla/4.0 (compatible; MSIE 8.0; Wit



Document_Link           Document_Title/Description  EVENT_TIMESTAMP               ACTIVITY DATE         Confidence_Number  ACTIVE USER
archive.org/almapl.mp4  German hostage video        Wed Mar 28 18:32:32 GMT 2012  2012-03-28T18:18:00Z  1.0
archive.org/almapl.mp4  German hostage video        Wed Mar 28 18:32:32 GMT 2012  2012-03-28T18:18:00Z  1.0
archive.org/almapl.mp4  German hostage video        Wed Mar 28 18:32:32 GMT 2012  2012-03-28T18:18:17Z  1.0
archive.org/almapl.mp4  German hostage video        Wed Mar 28 18:32:32 GMT 2012  2012-03-28T18:18:17Z  1.0
archive.org/almapl.mp4  German hostage video        Wed Mar 28 18:23:42 GMT 2012  2012-03-28T18:09:27Z  0.5
archive.org/almapl.mp4  German hostage video        Wed Mar 28 18:23:42 GMT 2012  2012-03-28T18:09:27Z  0.5
archive.org/almapl.mp4  German hostage video        Wed Mar 28 18:23:42 GMT 2012  2012-03-28T13:18:00Z  0.5
archive.org/almapl.mp4  German hostage video        Wed Mar 28 18:23:42 GMT 2012  2012-03-23T18:18:00Z  0.5
archive.org/almapl.mp4  German hostage video        Wed Mar 28 18:23:42 GMT 2012  2012-03-28T18:18:00Z  0.5
archive.org/almapl.mp4  German hostage video        Wed Mar 28 18:23:42 GMT 2012  2012-03-28T18:18:17Z  0.5
Automated analysis documentation

What happens then? 

Compare control and experimental groups to show statistical differences

Analyse experimental group to determine statistical power of the hypothesis

Assemble selectors across all hypotheses

Rank selectors according to the number and power of the hypothesis behaviors they show

Deliver an ordered list of suspects to OCT 
Scoreboard



Hypotheses 




Known 



New 




Successes 



An HTTP-referred URL gave us a German hostage video from a previously unknown target.

An upload event gave us an 

AQIM's hostage strategy. The resulting report was disseminated widely including by the CIA to their counterparts overseas.
The End



Team Lead: 

([redacted]@cse-cst.gc.ca)






cse-cst.gc.ca) 







